tftp (Trivial File Transfer Protocol) is used by devices that require information from a network server, typically at boot time. It is an extremely simple form of ftp with most of the security and advanced commands stripped out; it basically allows a device to retrieve (and upload) files from a server in a very simple manner. tftp is almost exclusively used for diskless workstations, router configuration data, and any device that boots up and requires information it cannot store permanently. As such it presents a rather large security hole: just imagine if someone were to connect to your tftp server and grab the boot file for your main Cisco router.
The stock tftp can be locked down: it accepts a directory name that it is essentially limited to (very similar to chroot), and TCP_WRAPPERS can be used to limit access to certain hosts only, but if you want access control on individual files you will need to run utftpd. By default tftp (at least on Red Hat) gives access only to the /tftpboot directory (which usually doesn't exist, so create it if you need it). It is a very good idea to keep the tftp directory as separate from the rest of the system as possible. This is done by specifying the directory or directories you want tftp to have access to after the tftp command in inetd.conf. The following example starts tftp normally and grants it access to the /tftpboot directory and the /kickstart directory.
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot /kickstart
Also remember tftp uses UDP, so a 'ps xau' won't necessarily show who is logged in or what they are doing (as opposed to ftp, which shows up) unless they are currently downloading a file (since most tftp applications revolve around small files, it is unlikely you will catch someone in the act). The best place to monitor tftp is syslog, but even then tftp doesn't log IP addresses or anything truly useful. The following is some ps output and some syslog output from an active tftp session.
nobody 744 0.0 0.6 780 412 ? R 14:31 0:00 in.tftpd /tftpboot
Apr 21 14:31:15 hostname tftpd[744]: tftpd: trying to get file: testfile
Apr 21 14:31:15 hostname tftpd[744]: tftpd: serving file from /tftpboot
TFTP can be easily restricted using TCP_WRAPPERS and firewalling. tftp runs on port 69, UDP, so simply restrict access to what is needed by your various diskless workstations, routers and the like. It is also a good idea to block all tftp traffic at your network borders, as there is no need for a machine to remote boot using tftp across the Internet and so on. Also, tftp runs as the user nobody, but since no authentication is done and all devices accessing the tftp server do so as 'nobody', file level security is pretty well useless. All in all, a very insecure server. The following rules allow tftp (port 69, UDP) from the 10.0.0.0/8 network and one trusted host, and deny it from everywhere else.
ipfwadm -I -a accept -P udp -S 10.0.0.0/8 -D 0.0.0.0/0 69
ipfwadm -I -a accept -P udp -S some.trusted.host -D 0.0.0.0/0 69
ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 69
or
ipchains -A input -p udp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 69
ipchains -A input -p udp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 69
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 69
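Because tftpd's syslog output carries no client address, the gap can be closed by auditing the request datagrams themselves. The following is an added example, not part of the original guide or of any tftpd: it parses a TFTP read/write request (RFC 1350 layout) and builds an audit line with the source address. The 10.0.0.0/8 trusted range is taken from the rules above; the function names, the flag names and the way datagrams are obtained (for instance from a packet capture on UDP port 69) are assumptions.

```python
import ipaddress
import struct

# Assumption: trusted range mirrors the 10.0.0.0/8 source in the rules above.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
OPCODES = {1: "RRQ", 2: "WRQ"}  # RFC 1350 read request / write request


def parse_request(datagram):
    """Return (operation, filename, mode) for a TFTP RRQ/WRQ, else None."""
    if len(datagram) < 4:
        return None
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        return None  # DATA, ACK and ERROR do not open a session on port 69
    fields = datagram[2:].split(b"\x00")
    # Well-formed request: filename NUL mode NUL (extra fields may follow).
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    return OPCODES[opcode], filename, mode


def audit(src_ip, datagram):
    """Build one audit line: who asked for which file, and what looks wrong."""
    parsed = parse_request(datagram)
    if parsed is None:
        return f"tftp-audit src={src_ip} malformed-or-non-request"
    op, filename, mode = parsed
    addr = ipaddress.ip_address(src_ip)
    flags = []
    if not any(addr in net for net in TRUSTED_NETS):
        flags.append("UNTRUSTED_SOURCE")
    if op == "WRQ":
        flags.append("UPLOAD")
    if ".." in filename.split("/"):
        flags.append("DOTDOT_IN_PATH")
    return (f"tftp-audit src={src_ip} op={op} file={filename!r} mode={mode} "
            f"flags={','.join(flags) or 'none'}")


if __name__ == "__main__":
    # Constructed sample datagrams, not captured traffic.
    samples = [
        ("10.1.2.3", b"\x00\x01testfile\x00octet\x00"),
        ("192.0.2.77", b"\x00\x01router-confg\x00netascii\x00"),
        ("10.9.9.9", b"\x00\x02../etc/passwd\x00octet\x00"),
        ("10.1.2.3", b"\x00\x04\x00\x01"),
    ]
    for src, pkt in samples:
        print(audit(src, pkt))
```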
utftpd is a secure replacement for the stock tftpd; it provides much finer access control and support for some other interesting features (such as revision control). You can also base access on the client's IP address, meaning your router configurations and diskless workstation configurations can be kept separate and discrete from each other. utftpd is GPL licensed and available at: https://www.nrw.net/uwe/utftpd.html.
Written by Kurt Seifried